Dan Boneh, John Mitchell, Dawn Song. Denial of Service

Similar documents
Unwanted Traffic: Denial of Service Attacks. Original slides by Dan Boneh and John Mitchell

Unwanted Traffic: Denial of Service Attacks

Unwanted Traffic: Denial of Service Attacks

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

network security s642 computer security adam everspaugh

Chapter 7. Denial of Service Attacks

Network Security. Tadayoshi Kohno

CSE 565 Computer Security Fall 2018

COMPUTER NETWORK SECURITY

ELEC5616 COMPUTER & NETWORK SECURITY

Computer Security: Principles and Practice

Denial of Service. EJ Jung 11/08/10

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Internet Infrastructure

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

DDoS Testing with XM-2G. Step by Step Guide

Internet Security: How the Internet works and some basic vulnerabilities

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

CS670: Network security

Different Layers Lecture 20

Denial of Service (DoS)

Internet Protocol and Transmission Control Protocol

Security. - All kinds of bad things attackers can do over the network. - Techniques for protecting against these and other attacks

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Network Layer: Internet Protocol

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

CS Paul Krzyzanowski

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer and Network Security

CS244a: An Introduction to Computer Networks

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

CSCI 1800 Cybersecurity and Interna4onal Rela4ons. Design and Opera-on of the Internet John E. Savage Brown University

Internet Security: How the Internet works and some basic vulnerabilities. Slides from D.Boneh, Stanford and others

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Putting it all together

Network Security. Thierry Sans

Security. - All kinds of bad things attackers can do over the network. Next lecture: defense building blocks

DNS Security. Ch 1: The Importance of DNS Security. Updated

The big picture. Security. Some consequences. Three types of threat. LAN Eavesdropping. Network-based access control

CSc 466/566. Computer Security. 18 : Network Security Introduction

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

ECE 650 Systems Programming & Engineering. Spring 2018

20-CS Cyber Defense Overview Fall, Network Basics

Configuring Flood Protection

Hands-On Ethical Hacking and Network Defense

CIS 551 / TCOM 401 Computer and Network Security

Cloudflare Advanced DDoS Protection

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

ECE 435 Network Engineering Lecture 23

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Configuring attack detection and prevention 1

Denial of Service (DoS) attacks and countermeasures

CPSC 826 Internetworking. The Network Layer: Routing & Addressing Outline. The Network Layer

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

Network Security (NetSec)

DENIAL OF SERVICE ATTACKS

CSCI-GA Operating Systems. Networking. Hubertus Franke

The big picture. Security. Some consequences. Three types of threat. Warm up: phishing. Danger: malicious servers

Security. - All kinds of bad things attackers can do over the network. - Techniques for protecting against these and other attacks

Introduction to TCP/IP networking

Router Architecture Overview

Foundations of Network and Computer Security

ECE 435 Network Engineering Lecture 23

Introduction to Network. Topics

EC441 Fall 2018 Introduction to Computer Networking Chapter4: Network Layer Data Plane

Lecture 20 Overview. Last Lecture. This Lecture. Next Lecture. Transport Control Protocol (1) Transport Control Protocol (2) Source: chapters 23, 24

ECPE / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Network Security Protocols NET 412D

Chapter 4: Network Layer

Denial of Service and Distributed Denial of Service Attacks

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Configuring attack detection and prevention 1

Prevent DoS using IP source address spoofing

Guide To TCP/IP, Second Edition UDP Header Source Port Number (16 bits) IP HEADER Protocol Field = 17 Destination Port Number (16 bit) 15 16

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local

Attack Prevention Technology White Paper

ICS 451: Today's plan

CSC 4900 Computer Networks: Network Layer

Transport: How Applications Communicate

ECE 435 Network Engineering Lecture 10

Introduction to Computer Security

Master Course Computer Networks IN2097

Packet Header Formats

TCP/IP Networking. Part 4: Network and Transport Layer Protocols

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Transport Over IP. CSCI 690 Michael Hutt New York Institute of Technology

Network Security. Network Vulnerabilities

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Network and Internet Vulnerabilities

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

network security cs642 computer security adam everspaugh

HP High-End Firewalls

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

DDoS and Traceback 1

Transcription:

Dan Boneh, John Mitchell, Dawn Song Denial of Service

What is network DoS? Goal: take out a large site with little computing work How: Amplification Small number of packets big effect Two types of amplification attacks: DoS bug: Design flaw allowing one machine to disrupt a service DoS flood: Command bot-net to generate flood of requests 2

DoS can happen at any layer This lecture: Sample Dos at different layers (by order): Link TCP/UDP Application Payment Generic DoS solutions Network DoS solutions 3 Sad truth: Current Internet not designed to handle DDoS attacks

DoS Source Smurf amplification DoS attack 1 ICMP Echo Req Src: Dos Target Dest: brdct addr gateway 3 ICMP Echo Reply Dest: Dos Target DoS Target 4 Send ping request to broadcast addr (ICMP Echo Req) Lots of responses: Every host on target network generates a ping reply (ICMP Echo Reply) to victim Prevention: reject external packets to broadcast address

Modern day example (May 06) DNS Amplification attack: ( 50 amplification ) DNS Query SrcIP: Dos Target EDNS Reponse DoS Source (60 bytes) DNS Server (3000 bytes) DoS Target 580,000 open resolvers on Internet (Kaminsky-Shiffman 06) 5

6 Review: IP Header format Connectionless Unreliable Best effort 0 Version Header Length Type of Service Total Length 31 Flags Identification Fragment Offset Time to Live Protocol Header Checksum Source Address of Originating Host Destination Address of Target Host Options Padding IP Data

Review: TCP Header format TCP: Session based Congestion control In order delivery 0 31 Source Port Dest port SEQ Number ACK Number U A P P S F R C S S Y I G K H R N N Other stuff 7

Review: TCP Handshake C SYN: SN C rand C AN C 0 S Listening SYN/ACK: SN S rand S AN S SN C Store SN C, SN S ACK: SN SN C AN SN S Wait 8 Established

TCP SYN Flood I: low rate (DoS bug) 9 C SYN C1 SYN C2 SYN C3 SYN C4 SYN C5 S Single machine: SYN Packets with random source IP addresses Fills up backlog queue on server No further connections possible

SYN Floods (phrack 48, no 13, 1996) OS Backlog queue size Linux 1.2.x 10 FreeBSD 2.1.5 128 WinNT 4.0 6 Backlog timeout: 3 minutes Attacker need only send 128 SYN packets every 3 minutes. Low rate SYN flood 10

A classic SYN flood example MS Blaster worm (2003) Infected machines at noon on Aug 16 th : SYN flood on port 80 to windowsupdate.com 50 SYN packets every second. each packet is 40 bytes. Spoofed source IP: a.b.x.y where X,Y random. 11 MS solution: new name: windowsupdate.microsoft.com Win update file delivered by Akamai

Low rate SYN flood defenses Non-solution: Increase backlog queue size or decrease timeout Correct solution (when under attack) : Syncookies: remove state from server Small performance overhead 12

13 Syncookies Idea: use secret key and data in packet to gen. server SN Server responds to Client with SYN-ACK cookie: T = 5-bit counter incremented every 64 secs. L = MAC key (SAddr, SPort, DAddr, DPort, SN C, T) [24 bits] key: picked at random during boot SN S = (T. mss. L) ( L = 24 bits ) Server does not save state (other TCP options are lost) Honest client responds with ACK ( AN=SN S, SN=SN C +1 ) Server allocates space for socket only if valid SN S. [Bernstein, Schenk]

SYN floods: backscatter [MVS 01] SYN with forged source IP SYN/ACK to random host 14

Backscatter measurement [MVS 01] Listen to unused IP addresss space (darknet) /8 network 0 monitor 2 32 Lonely SYN/ACK packet likely to be result of SYN attack 2001: 400 SYN attacks/week 2008: 4425 SYN attacks/24 hours (arbor networks ATLAS) 15 Larger experiments: (monitor many ISP darknets) Arbor networks Network telescope (UCSD)

SYN Floods II: Massive flood (e.g BetCris.com 03) Command bot army to flood specific target: (DDoS) 20,000 bots can generate 2Gb/sec of SYNs (2003) 16 At web site: Saturates network uplink or network router Random source IP attack SYNs look the same as real SYNs

Prolexic Idea: only forward established TCP connections to site Lots-of-SYNs 17 Lots-of-SYN/ACKs Few ACKs Prolexic capacity: 20Gb/sec link Prolexic Proxy can handle 40 10 6 SYN/sec Forward to site Web site

Stronger attacks: TCP connection flood Command bot army to: Complete TCP connection to web site Send short HTTP HEAD request Repeat Will bypass SYN flood protection proxy but: Attacker can no longer use random source IPs. Reveals location of bot zombies Proxy can now block or rate-limit bots. 18

DNS DoS Attacks (e.g. bluesecurity 06) DNS runs on UDP port 53 DNS entry for victim.com hosted at victim_isp.com DDoS attack: flood victim_isp.com with requests for victim.com Random source IP address in UDP packets Takes out entire DNS server: (collateral damage) bluesecurity DNS hosted at Tucows DNS server DNS DDoS took out Tucows hosting many many sites 19

Root level DNS attacks Feb. 6, 2007: Botnet attack on the 13 Internet DNS root servers Lasted 2.5 hours None crashed, but two performed badly: g-root (DoD), l-root (ICANN) Most other root servers use anycast Attack 20 in Oct. 2002 took out 9 of the 13 TLD servers

DoS via route hijacking YouTube is 208.65.152.0/22 (includes 2 10 IP addr) youtube.com is 208.65.153.238, Feb. 2008: Pakistan telecom advertised a BGP path for 208.65.153.0/24 (includes 2 8 IP addr) Routing decisions use most specific prefix The entire Internet now thinks 208.65.153.238 is in Pakistan 21 Outage resolved within two hours but demonstrates huge DoS vuln. with no solution!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback